Responsibility and Resilience

Over the past year, I have seen a far stronger adjacency between the terms of Cybersecurity and Corporate Digital Responsibility, or Digital Responsibility. Yet if I talk to IT Security purists, they will perhaps challenge the relationship. I thought it would be interesting to compare and contrast the subjects.

Let’s start with Cybersecurity – what is it? “Cybersecurity is the security as it applies to information technology”, says the definition on Wikipedia. The definition goes on to say “the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy, and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals” – in short anything and everything that might compromise the ongoing ability of an organisation or its employees to deliver products and services in a sustainable way to its customers. It is not just about technology, nor theft of data, nor just hacking … it’s about safeguarding the way in which we work together as a connected society. This means considering the people, risk, behaviours and processes which enable responsible organisations to improve their resilience in today’s world of ongoing disruptive change.

So against that backdrop, how do the Seven Principles of the International CDR Manifesto guide us to consider a more holistic approach to protecting the long-term sustainability and resilience of an organisation? Let us take each in turn.

1. Purpose and Trust

Clarity about the defining purpose of an organisation and what it does to create, maintain and sustain consumer trust surely has a strong relationship with Cybersecurity. Reputational damage from data leaks has been front-page news, as will imminently be the consequences of biased algorithms or negative environmental impacts. The Swiss Digital Initiative has launched a consumer trust label based on an organisation’s mitigations in many of these areas, for example how they manage data, how they protect privacy and the protection levels they have in place.

Furthermore, the concept of the Digital Ethics Advisory Board is to directly guide the CEO and Board of any organisation in the risks associated with planned product or company strategy. It directly links to the management of the risk profile of the organisation, and the potential reputational, investment or resource challenges it might face. Responsible organisations go further by measuring their security posture against these challenges to ensure security spend is prioritised to underpin the strategic direction of the business and the threats it faces to achieve this.

In advocating the relevant and appropriate regulations and policy, the CDR Manifesto also seeks to influence the right balance of controls relevant to a regional or ideally global landscape. The complexity of multiple vertical and horizontal regulations, with the variety of political influence and bias, makes it a minefield to navigate. Nonetheless, collaboration between business and policy to both jointly, and practically, protect and promote innovation is a necessary feature, as put forward in Joe Zammit-Lucia’s recent book “The New Political Capitalism”.

2. Fair and Equitable Access for All

It is a legal requirement (in many geographies) to ensure that products and services are accessible and inclusive – yet of course, we should also add “and EASY to use” to that. In a Digital Adoption Survey of 2017, rates of adoption are accelerated if the benefit is convenience or improved health. Too many of our business and consumer technology products are too complex. Certainly, the security market is a crowded place with many technologies sold on the basis of product features, rather than how they can be used to improve overall security performance and resilience. Complexity introduces risk, not only for the consumer, but affecting how these products are conceived and sold too.

Diverse thinking delivers better outcomes (Rebel Ideas, Matthew Syed, 2019). Whilst the principle is clearly driven by ensuring all elements of society gain value from the products and services designed, then it is also undoubtedly true that the potential threats or vulnerabilities are equally more likely to be considered by a more diverse product team. Whether that diversity is gender, cultural, skills or perspective is to some extent irrelevant in this context – just that better results are likely to occur in the context of both the delivered product or service, and its resilience.

3. Promote Societal Wellbeing

This is probably the most explicitly obvious link to Cybersecurity as it covers Data Privacy and Strong Data Governance. And whilst they are clearly both critical, we can also point to the importance of Digital Maturity and Digital Wellbeing. Equipping both communities and society with the skills, inspiration and knowledge to more effectively protect their information and systems is a key area of improved Cybersecurity. Indeed, having the data needed to make defensible cybersecurity decisions is a key attribute of responsible organisations. Many attacks are still dependent on consumer lapses, or ever more subtle tricks through phishing and whaling. Addressing and improving Digital Poverty is a key component of the push to minimise the likelihood of both consumer and business cyber attacks.

4. Consider Economic and Societal Impact

Many years ago, I was involved in delivering the technology for the Olympic Games. I remember having conversations with organisations that had increasingly adopted automation yet still had to ensure that their business operations were resilient and delivered no matter what happened. That was of course the primary challenge for the Olympics – protecting the operational event.

Similarly, Sustainable Automation looks to consider not only the impact on the individuals – training, redeployment, wider opportunities across society – but also the business itself. There is no point in automating everything if there is no fallback, no contingency if things are compromised. Intelligent Automation is a top priority for many CIOs at the moment, and for CISOs too, where the move to cloud offers benefits for improving security operations as well as the resilience and sustainability for the organisation overall.

Similarly to the Societal Wellbeing principle, there is also a strong focus here on data and algorithms, but primarily focused on authenticity (verified and permissible) and on appropriate data ownership. A particular irritation for me at the moment is the misuse of cookie notices on websites – typically being neither simple to understand nor easy to reject. These are at the heart of the protection of data, and indeed automated decisions made on the back of that data.

5. Accelerate Progress with the Impact Economy

The intersection of economic benefit with environmental is perhaps the area that is more distant from a Cybersecurity focus, yet actually there is an important point to make about partner ecosystems.

How do you, as an international enterprise organisation, effectively hook into start-ups, accelerators and incubators that have emerging technology solutions that can assist in your journey? Whilst I often illustrate this principle with Greentech organisations, it is equally true of the broader cyber and emerging tech space. Getting the most from the cybersecurity industry in specialist areas such as CISO performance assessment is key. Not all great ideas start in big organisations.

If we consider carbon trading and carbon offset, then this too is a space that can be subject to mis-selling, and external influences. The point behind the CDR framework is to consider pragmatic actions executed with integrity to make a real difference to people and planet. Similarly the undue influence of consumer behaviours for profit rather than impact is another common pattern of business that could be considered as a risk to reputation and trust.

6. Creating a Sustainable Planet to Live

There are some incredible ideas being floated around at the moment – in the past few weeks I have been on calls or read articles that have considered a protective dust layer around the planet, a control to “turn down the sun”, capturing carbon out of the atmosphere and turning it into diamonds, and many more.

In truth these are critical. There are many of us who consider that the behaviours of Net Zero are important, but they will not solve the situation in a way that has a positive outcome for humanity as a whole. So we need to innovate and we need to solve challenges such as sustainable waste management, climate change, resource scarcity and biodiversity in addition to societal cohesion and economic challenges.

In the design and delivery of these innovative solutions, it will again be critical to understand the threat and protection of those technology powered solutions, ESPECIALLY where they relate to globally impacting critical infrastructures.

The work of the UN-backed CODES initiative in driving a digital transformation of the planet, based around aggregating massive data sets and creating a global sandpit/digital twin enabling other parties to innovate and solve, is fantastic and to be applauded, but of course also critically relies on appropriate protections and security of the information shared and around which innovative solutions are based. It should be emphasised that whilst the initial focus of the CODES Action Plan was a sustainable planet – the plan covers more than environmental, and echoes the need for sustainable communities and society.

7. Reduce Tech Impact on Climate and Environment

We could of course talk about the Scope 1, 2, 3 measurement of carbon emissions and appropriate recycling and re-use, but most important is to maintain a balance between understanding and measuring the consequential impact of technologies and understanding how the cyber risk may or may not evolve due to the changes.

How many years have we heard concerns about the shift to Cloud? Yet most cloud solutions are likely to be more secure than many non-cloud ones, and now we are also overlaying a measure of energy use. Concerns are expressed about the current energy demands of many blockchain and crypto solutions, yet on the other hand blockchain is promoted as one of the innovative technologies to solve some challenges – e.g. biodiversity and protection of wildlife – in Principle 6 above.

An academic study from Canada in 2017 measured the relative energy use of coding languages, which in essence showed that older languages (e.g. C) used less energy than more modern iterations (e.g. Python 75x) – yet it is unlikely that we will suddenly revert en masse to the 1980 technologies despite the current threat profile probably being lower than more modern tech.

A point to note should be to consider the costs of designing security in, the costs in environmental terms. To consider issues such as energy use, renewables (truly tracked renewables) and more in the solutions we use to manage the evolving threats. But as an aside, in the procurement of your security solutions, what do you ask in terms of environmental impact questions – either in the context of the product or the supplying business?

---------------------------------------------------------------------------------------------------------------

In protecting any business, it is the responsibility of the CEO and the Board to represent the shareholders and ensure that there is a viable and sustainable business that maintains consumer trust and investors’ belief in long-term sustainability, and that increasingly – in the eyes of your future talent – is seen as purpose-led and acting with integrity.

Cybersecurity is the key to protecting that business and its information assets, subject to the behaviours and actions of the people, functions and processes of your business. It is most certainly not just software licences, SOCs, threat intelligence, virus checkers and more – though of course it includes all of those. It is also not an exact match to Corporate Digital Responsibility, but in writing this article, it seems indisputable that there is a strong affinity across the principles that can guide any organisation in managing a holistic threat analysis and response that keeps you going. Safe, Secure and positively impacting your customers, and with luck, communities, society and the planet.

Resilience and Responsibility, inevitably entwined.





Photo by Craig Ren on Unsplash

Well said Rob -> responsibility and resilience are part of the same mission for organisations to play their part in our digital, interconnected society. This will be a key focus for Alchemmy looking forward to our future plans for #security and #resilience!

You can find out more about our plans in #security and #resilience here https://alchemmy.com/cyber/ or by connecting with Phil Aitchison
